Identity Cloud

Synchronization situations and actions

The synchronization process assesses source and target objects, and the links between them, and then determines the synchronization situation that applies to each object. The process then performs a specific action, usually on the target object, depending on the assessed situation.

The action that is taken for each situation is defined in the policies section of your synchronization mapping.

The following excerpt from a sample mapping shows the action defined for each situation in that sample:

{
    "policies": [
        {
            "situation": "CONFIRMED",
            "action": "UPDATE"
        },
        {
            "situation": "FOUND",
            "action": "LINK"
        },
        {
            "situation": "ABSENT",
            "action": "CREATE"
        },
        {
            "situation": "AMBIGUOUS",
            "action": "IGNORE"
        },
        {
            "situation": "MISSING",
            "action": "IGNORE"
        },
        {
            "situation": "SOURCE_MISSING",
            "action": "DELETE"
        },
        {
            "situation": "UNQUALIFIED",
            "action": "IGNORE"
        },
        {
            "situation": "UNASSIGNED",
            "action": "IGNORE"
        }
    ]
}

Configure situations and actions using the IDM admin UI

  1. In the Identity Cloud admin UI, click Native Consoles > Identity Management.

  2. From the navigation bar, click Configure > Mappings, and click the mapping to edit.

  3. Click the Behaviors tab, expand the Situational Event Scripts node, and configure event actions.

  4. Click Save.

If you do not define an action for a particular situation, IDM takes its built-in default action for that situation.

Exercise special care when setting the action for the Source Missing (SOURCE_MISSING) situation (default value: Async).

Consider an account that is linked between an external authoritative application and Identity Cloud. If the account is deleted in the authoritative source while it still exists in Identity Cloud, setting the Source Missing action of the inbound mapping to DELETE causes the corresponding Identity Cloud account to be deleted. If you leave the default value of Async instead, no action is taken on the Identity Cloud account.

However, there may be reasons to retain the account in Identity Cloud even after the corresponding account is removed from the authoritative source, such as downstream auditing, business logic, or other dependencies on the account. Evaluate the implications carefully before choosing DELETE, because the deletion happens automatically on the next synchronization and cannot be undone by the mapping.
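The policies list shown earlier and the Source Missing caveat, worked through as an added Python example (this is not IDM's or Identity Cloud's code): it loads a mapping excerpt in the same shape as the sample, resolves a situation to the configured action or reports that IDM's built-in default would apply, simulates what happens to a linked Identity Cloud account when its authoritative source object is deleted, and lints the mapping for the SOURCE_MISSING -> DELETE setting. The situation-assessment rules in assess_source_phase and assess_target_phase are a simplified model and an assumption, not the product's algorithm; SAFER_MAPPING is a constructed variant of the sample.

```python
"""Resolving synchronization situations to actions from a mapping's policies.

Added example, not code from IDM or Identity Cloud. Situation and action
names are the ones the page uses; the assessment rules are a simplified
model (assumption), and the mappings are constructed for this example.
"""

import json
from typing import Optional

# Returned when the mapping defines no policy for a situation: IDM then
# falls back to its built-in default action for that situation.
DEFAULT_ACTION = "<IDM default>"

# Actions that remove the target object; flagged by lint_policies().
DESTRUCTIVE_ACTIONS = {"DELETE"}

# Same policies as the sample mapping excerpt on the page.
SAMPLE_MAPPING = json.loads("""
{
  "policies": [
    {"situation": "CONFIRMED",      "action": "UPDATE"},
    {"situation": "FOUND",          "action": "LINK"},
    {"situation": "ABSENT",         "action": "CREATE"},
    {"situation": "AMBIGUOUS",      "action": "IGNORE"},
    {"situation": "MISSING",        "action": "IGNORE"},
    {"situation": "SOURCE_MISSING", "action": "DELETE"},
    {"situation": "UNQUALIFIED",    "action": "IGNORE"},
    {"situation": "UNASSIGNED",     "action": "IGNORE"}
  ]
}
""")

# Constructed variant: keep the Identity Cloud account when the source goes away.
SAFER_MAPPING = {
    "policies": [
        dict(p, action="IGNORE") if p["situation"] == "SOURCE_MISSING" else p
        for p in SAMPLE_MAPPING["policies"]
    ]
}


def assess_source_phase(source_qualifies: bool, linked: bool, targets_found: int) -> str:
    """Situation for one source object in the source phase (simplified model).

    targets_found counts target objects reached through the existing link
    (when linked) or through correlation (when not linked).
    """
    if not source_qualifies:  # the source object does not qualify for this mapping
        return "UNQUALIFIED"
    if linked:
        return "CONFIRMED" if targets_found else "MISSING"
    if targets_found == 0:
        return "ABSENT"
    if targets_found == 1:
        return "FOUND"
    return "AMBIGUOUS"


def assess_target_phase(linked: bool, source_exists: bool) -> Optional[str]:
    """Situation for a target object in the target phase (simplified model).

    Returns None for a linked target whose source still exists: that pair
    was already assessed from the source side.
    """
    if not linked:
        return "UNASSIGNED"
    return None if source_exists else "SOURCE_MISSING"


def resolve_action(mapping: dict, situation: str) -> str:
    """Action the mapping's policies assign to a situation, or DEFAULT_ACTION."""
    for policy in mapping.get("policies", []):
        if policy.get("situation") == situation:
            return policy["action"]
    return DEFAULT_ACTION


def simulate_source_delete(mapping: dict) -> str:
    """Action applied to a linked target whose authoritative source was deleted."""
    situation = assess_target_phase(linked=True, source_exists=False)
    return resolve_action(mapping, situation)


def lint_policies(mapping: dict) -> list:
    """Warnings for policy settings that deserve review before deployment.

    The single rule implemented is the page's own caveat: SOURCE_MISSING
    mapped to a destructive action removes the Identity Cloud account as
    soon as the authoritative source drops it.
    """
    warnings = []
    action = resolve_action(mapping, "SOURCE_MISSING")
    if action in DESTRUCTIVE_ACTIONS:
        warnings.append(
            "SOURCE_MISSING -> %s: target accounts are deleted when the "
            "authoritative source deletes them; confirm no downstream "
            "auditing or business logic still needs them" % action)
    return warnings


if __name__ == "__main__":
    for name, mapping in (("sample", SAMPLE_MAPPING), ("safer", SAFER_MAPPING)):
        print(name, "on source delete ->", simulate_source_delete(mapping))
        for warning in lint_policies(mapping):
            print("  WARNING:", warning)
```

Running the script shows the sample mapping deleting the linked account and producing one warning, while the constructed variant leaves the account in place and lints clean. A situation with no policy entry (for example LINK_ONLY, which the sample does not define) resolves to DEFAULT_ACTION, which is the case the text describes as falling through to IDM's built-in default.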

Copyright © 2010-2024 ForgeRock, all rights reserved.